[whatwg] More prohibited characters for unquoted attributes are needed
Ian Hickson
ian at hixie.ch
Mon Sep 14 04:25:26 PDT 2009

On Sun, 6 Sep 2009, Aryeh Gregor wrote:
>
> See some research here:
>
> http://code.google.com/p/html5lib/issues/detail?id=93
>
> It seems like in addition to whitespace and "'=<> , the characters
> U+0000 through U+0020 should be banned from unquoted attribute values,
> as well as U+0060 (backtick `), for the sake of compatibility.

On Mon, 7 Sep 2009, Geoffrey Sneddon wrote:
>
> Apparently Hixie had previously said he didn't want to change this as it
> will become a non-issue over time. I think it does matter due to the
> security issues it presents in existing UAs. Conforming markup (using
> elements/attributes allowed in HTML 4.01) should not cause JS to execute
> in one browser but not in another.

The right fix here is to have the browsers all implement the same parser
algorithm.

Validators are welcome to warn about this case, though.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
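
Added example, not part of the original message and not html5lib code: a minimal validator-style warning of the kind the reply above allows for. It reads attributes from a single start tag with a simplified regex (an assumption, not the full HTML5 tokenizer) and warns when an unquoted value contains any of "'=<>, U+0000 through U+0020, or U+0060; the function name and the sample tags are constructed for illustration.

```python
import re

# Already disallowed in unquoted values, per the list quoted in the thread.
ALREADY_BANNED = set("\"'=<>")
# Additions proposed in the thread: U+0000 through U+0020, and U+0060.
PROPOSED = {chr(c) for c in range(0x00, 0x21)} | {"`"}

# Simplified attribute matcher (assumption: not the full HTML5 tokenizer).
# An unquoted value runs until HTML whitespace or ">".
ATTR = re.compile(
    r"""[\t\n\f\r ]+                      # whitespace before the attribute
        (?P<name>[^\t\n\f\r />=]+)        # attribute name
        (?:[\t\n\f\r ]*=[\t\n\f\r ]*      # optional equals sign and a value
           (?:"(?P<dq>[^"]*)"             #   double-quoted
             |'(?P<sq>[^']*)'             #   single-quoted
             |(?P<uq>[^\t\n\f\r >]+)))?   #   unquoted
    """,
    re.X,
)


def unquoted_attr_warnings(start_tag):
    """Return (name, value, [code points]) for each risky unquoted value."""
    findings = []
    for m in ATTR.finditer(start_tag):
        value = m.group("uq")
        if value is None:  # quoted value, or attribute without a value
            continue
        bad = sorted({c for c in value if c in ALREADY_BANNED or c in PROPOSED})
        if bad:
            findings.append(
                (m.group("name"), value, ["U+%04X" % ord(c) for c in bad]))
    return findings


if __name__ == "__main__":
    samples = [  # constructed sample tags
        '<a href=page.html title=plain>',
        '<img alt=a`b src=x.png>',
        '<input value=ab\x01cd>',
        '<img alt="a`b">',
    ]
    for tag in samples:
        for name, value, chars in unquoted_attr_warnings(tag):
            print("warning: unquoted %s=%r contains %s"
                  % (name, value, ", ".join(chars)))
```

Whitespace ends an unquoted value in this matcher, so the control characters it can report are the non-whitespace ones (for example U+0001 or U+000B); quoting the value silences the warning.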